Oracle Java Audit Letter: The First 7 Steps to Take

What does an Oracle Java audit letter look like?

Almost no Oracle Java audit begins with the word "audit." The first contact is usually an email from your existing Oracle account manager, written in deliberately casual language: "We're conducting a routine Java SE review and would appreciate confirmation of your current usage," or "Oracle is reaching out to customers about Java SE licensing changes — can we schedule a quick call?" Sometimes it arrives from a "Java licensing specialist" or Oracle's GLAS (Global Licensing and Advisory Services) team. The tone is helpful, not adversarial. That is by design.

This is what the industry calls a "soft audit" — a commercial review that has all the data-gathering objectives of a formal audit but none of the contractual formality. Oracle's agenda is consistent: convert your organization onto the Java SE Universal subscription, which is priced on your total employee headcount rather than actual Java use. Under that metric, every employee counts, whether or not they ever touch Java. For background on how that pricing model works and why it is so costly, see our Oracle Java licensing guide.

A smaller share of letters are formal LMS (License Management Services) audit notices, issued under the audit clause of your Oracle license agreement. These reference your contract, set a defined response window and carry genuine contractual weight. The first thing to establish, before anything else, is which of the two you are holding — because your obligations and your leverage differ completely. The broader mechanics of both routes are covered in our Oracle audit guide.

Why shouldn't you reply immediately?

The instinct after receiving an Oracle letter is to respond quickly and helpfully — to demonstrate good faith. That instinct works against you. Oracle's Java review process is engineered so that the customer's first reply is also their most damaging. A same-day answer signals you have no internal process, no independent advisor and no idea what your real exposure is. It invites Oracle to set the pace.

Nothing in a soft-audit email requires an instant answer. Even a formal LMS notice gives you a response window measured in weeks, not hours, and that window is usually negotiable. The few days after the letter arrives are the most valuable in the entire process: they are the only time you control the timeline, before Oracle has anchored a number or pulled you into a cadence of calls. Use them to prepare, not to react.

What are the first 7 steps to take?

The following seven steps are the sequence we walk clients through in the first week after an Oracle Java audit letter lands. Follow them in order — each one preserves leverage for the next.

1. Do not reply immediately. Acknowledge the letter internally and log the date received, but do not respond to Oracle the same day. Treat the email as the opening move in a negotiation, not a request for help. A short delay costs you nothing and signals that you have a process.
2. Identify whether it is a soft audit or a formal audit. Read the letter against your contract. Does it cite the audit clause of your Oracle license agreement and set a formal window, or is it an account-team "review" with a friendly tone? If it is informal, you are not contractually obligated to participate. If it is formal, you must cooperate reasonably — but you still control how and when.
3. Control the scope and the channel. Nominate one named internal contact — typically procurement or a licensing lead, not an engineer — and route every Oracle communication through that person. Confirm in writing exactly which legal entities, products and time period are in scope. Do not let the conversation expand quietly from "Java SE" to your whole estate.
4. Request an NDA and written clarification. Ask Oracle to state, in writing, the legal basis for the request, the precise scope, and how any data you provide will be used. Ensure a confidentiality agreement covers anything you disclose. This is reasonable, professional and routinely slows Oracle's pace while protecting you.
5. Never run Oracle's scripts blindly. Do not execute Oracle's Java discovery scripts or complete its self-assessment questionnaire without independent review. These tools over-report by counting free OpenJDK builds, third-party distributions like Amazon Corretto or Eclipse Temurin, and embedded ISV runtimes as licensable Oracle JDK. Once submitted, the data cannot be withdrawn.
6. Run your own independent baseline first. Before any data leaves your organization, build a forensic internal Java inventory that distinguishes Oracle JDK from OpenJDK and other distributions, records version histories, and flags embedded ISV runtimes. This baseline is the evidence that lets you push back on Oracle's numbers rather than accept them.
7. Get independent buyer-side advice fast. Engage an independent, buyer-side Oracle Java licensing advisor before your first substantive call with Oracle — while you still control the timeline. An advisor who has sat on Oracle's side of these conversations knows the playbook and can frame both the technical challenge and the commercial negotiation from the start.

None of these steps are confrontational. They are simply the difference between responding on Oracle's terms and responding on yours. Our Oracle Java audit defense service exists to run this exact sequence on your behalf, from the first letter to final resolution.

Is a Java review the same as a formal audit?

No — and the distinction is the most consequential thing to establish in step two. A formal LMS audit is an exercise of the audit rights written into your Oracle license agreement. It obliges you to cooperate reasonably within a defined window, but those same contractual terms also limit Oracle: it can only audit compliance with the specific products and metrics in your agreement, not conduct an open-ended inspection of your infrastructure.

A Java SE "review" or soft audit, by contrast, is a commercial conversation initiated by your account team. You have no contractual obligation to run their scripts, share inventory or even take the call. Customers routinely hand Oracle data in a soft audit that Oracle could never have compelled in a formal one — because the friendly framing makes it feel like cooperation rather than disclosure. Understanding which process you are in tells you exactly how much you are obligated to give and how much leverage you hold.

According to Oracle Licensing Experts (2026), the Java SE Universal Employee metric can cost an enterprise five to ten times more than the equivalent Named User Plus (NUP) deployment it replaced — which is precisely why Oracle works so hard to move customers onto it, and why the first response to a Java letter carries such weight. With 25+ years of combined Oracle licensing experience and a 100% Java audit defense record, our team has seen every variant of this opening move.

Should you run Oracle's Java scripts?

Not without independent review — and never as your first action. Oracle's Java discovery scripts and self-assessment questionnaires are presented as a neutral measurement, but in practice they are calibrated to maximise the licensable count. They scan for Java binaries across servers and desktops and, critically, they frequently fail to distinguish Oracle JDK from the many free and third-party distributions that Oracle has no right to charge for.

In the inventories we review, a large share of "Oracle Java" installations turn out to be OpenJDK, Amazon Corretto, Azul Zulu, Eclipse Temurin or Red Hat builds — none of which require an Oracle subscription. Others are runtimes embedded inside third-party ISV applications, licensed by the vendor, not by you. A script run by your own team, or worse, by Oracle, sweeps all of these into one number. That number becomes Oracle's opening claim, and because you reported it, it is far harder to walk back.

The correct order is the reverse of what Oracle proposes: build your own forensic baseline first, classify every installation by distribution and entitlement, exclude what is not yours, and only then decide what, if anything, to share. This is the heart of buyer-side Oracle Java licensing advisory — controlling the evidence before Oracle does.

How do the timeline dynamics work?

Oracle's Java audit process is built around time pressure. Soft-audit emails often include an artificial deadline — "we'd like your response by the end of the month" — that carries no contractual force whatsoever. Formal LMS notices set a genuine window, typically 30 to 45 days, but even that is usually negotiable when you ask professionally and in writing. In both cases, the clock is a lever, and Oracle controls it only if you let it.

The dynamic to understand is that every day of urgency favors Oracle's number. A rushed response means an incomplete baseline, an over-reported inventory and a customer negotiating from a position of fear. A measured response — acknowledging the letter, clarifying scope, building your own evidence — flips that pressure back. The reason step one is "do not reply immediately" is that the first reply is where most of the timeline leverage is won or lost.

Used well, the first week buys you the months you need. By confirming scope, requesting an NDA and presenting your own classified inventory, you reset the conversation onto a timeline that serves your preparation rather than Oracle's quota. From there, the historical claim becomes contestable and the forward subscription becomes negotiable — which is exactly where you want to be before the first real number is ever discussed.

Frequently Asked Questions